sys/web/nginx.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

{ config, lib, ... }:
with lib; let
  cfg = config.local.web;
  inherit (config.local) domains;
in
{
  options.local.web = {
    enable = mkEnableOption "web server";

    ownedCerts = mkOption {
      type = with lib.types; listOf str;
      default = [ ];
    };
  };

  config = mkIf cfg.enable {
    services = {
      fail2ban.jails = {
        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
        nginx-botsearch.settings = {
          # Usar log en vez de journalctl
          # TODO: Pasar todo a systemd?
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          journalmatch = "";
        };

        nginx-bad-request.settings = {
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          journalmatch = "";

          maxretry = 10;
        };
      };

      nginx = {
        enable = true;

        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;

        sslDhparam = config.security.dhparams.params.nginx.path;

        clientMaxBodySize = "42M";

        virtualHosts = { };
      };
    };

    local.certs = listToAttrs (map
      (name: {
        inherit name;
        value.enable = true;
      })
      cfg.ownedCerts);

    networking.firewall.allowedTCPPorts = [ 80 443 ];

    security = {
      acme.certs = listToAttrs (map
        (name: {
          name = domains.${name}.main;
          value = {
            group = mkDefault config.services.nginx.group;
          };
        })
        cfg.ownedCerts);

      dhparams.params.nginx = { };
    };
  };
}